Operational Risk: Fraud Risk Management Principles

To: Chief Executive Officers and Chief Risk Officers of All National Banks, Federal Savings Associations, and Federal Branches and Agencies; Technology Service Providers; Department and Division Heads; All Examining Personnel; and Other Interested Parties

Summary

The Office of the Comptroller of the Currency (OCC) is issuing this bulletin to inform national banks, federal savings associations, and federal branches and agencies (collectively, banks) of sound fraud risk management principles. This bulletin supplements other OCC and interagency issuances on corporate and risk governance, including the references listed in appendix A of this bulletin.

Note for Community Banks

This guidance applies to all OCC-supervised banks.

Highlights

The risk management principles addressed in this bulletin include the following:

A bank should have sound corporate governance practices that instill a corporate culture of ethical standards and promote employee accountability.

A bank’s risk management system should include policies, processes, personnel, and control systems to effectively identify, measure, monitor, and control fraud risk consistent with the bank’s size, complexity, and risk profile.

A bank’s risk management system and system of internal controls should be designed to

prevent and detect fraud.

appropriately respond to fraud, suspected fraud, or allegations of fraud.

Bank management should assess the likelihood and impact of potential fraud schemes and use the results of this assessment to inform the design of the bank’s risk management system.

Senior management and the board of directors should measure, monitor, and understand fraud losses across the enterprise and employ tools that appropriately quantify and assess loss experience and exposure.

Control reviews and audits should include fraud risk as part of their assessments.

Fraud risk management principles can be implemented in a variety of ways and may not always be structured within a formal fraud risk management program. Regardless of the structure, fraud risk management should be commensurate with the bank’s risk profile. Banks with significant and far-reaching retail-oriented business activities should have well-documented fraud risk management programs with appropriate monitoring, measurements and reporting, and mitigation.

Background

Fraud may generally be characterized as an intentional act, misstatement, or omission designed to deceive others, resulting in the victim suffering a loss or the perpetrator achieving a gain.1 Fraud is typically categorized as internal or external.

Internal fraud occurs when a director, an employee, a former employee, or a third party engaged by the bank commits fraud, colludes to commit fraud, or otherwise enables or contributes to fraud.

External fraud consists of first-party fraud and victim fraud. External fraud is committed by a person or entity that is not a bank employee, a former employee, or a third party engaged by the bank.

First-party fraud occurs when an external party, including a bank customer, commits fraud against the bank.

Victim fraud occurs when a bank customer or client is the victim of an intentional fraudulent act.

Fraud schemes are often ongoing crimes that can go undetected for months or even years and can be time consuming and costly to address. It is often difficult to fully understand and quantify the extent of the fraud and the harm caused. Measuring losses associated with fraud is often an inexact process. Typically, the true cost of fraud is greater than the direct financial loss, given the time and expense to investigate, loss of productivity, potential legal and compliance costs associated with remediation, and impact on a bank’s reputation.

Fraud risk is a form of operational risk, which is the risk to current or projected financial condition and resilience arising from inadequate or failed internal processes or systems, human errors or misconduct, or adverse external events.2 Operational risk management weaknesses can result in heightened exposure to fraudulent activities, which can increase a bank’s exposure to reputation and strategic risks. Failure to maintain an appropriate risk management system could expose the bank to the risk of significant fraud, defalcation (e.g., misappropriation of funds by an employee), and other operational losses.

Governance

Strong governance is of paramount importance to controlling the bank’s exposure to fraud, and a strong corporate culture against fraud is crucial regardless of a bank’s size or complexity. The tone at the top sets the foundation on which the bank operates. The board and senior management have a responsibility to lead by example and demonstrate that the bank is serious about promoting ethical behavior to deter and prevent fraud. The board-adopted code of ethics (or code of conduct) should encourage the timely communication and escalation of suspected fraud through the appropriate oversight channel.

The board is ultimately responsible for oversight but may delegate fraud risk management-related duties to specific committees (for example, the audit committee or operational risk management committee). The board also may delegate anti-fraud responsibilities to specific executives and managers, including those in charge of managing risks and controls. Roles and responsibilities should be clearly defined. The board should hold management accountable for effective fraud risk management and alignment of anti-fraud efforts with the bank’s strategy, objectives, risk appetite, and operational plans. While not all fraud can be avoided, an active board can foster an environment in which fraud is more likely to be prevented, deterred, and promptly detected.

A sound corporate culture should discourage imprudent risk-taking. Incentives or requirements for employees to meet sales goals, financial performance goals, and other business goals, particularly if such goals are aggressive, can result in heightened fraud risk.3

Risk Management

Sound fraud risk management principles should be integrated within the bank’s risk management system commensurate with the bank’s size, complexity, and risk profile. Bank management should periodically assess the likelihood and impact of potential fraud schemes and use the documented results of this assessment to inform the design of the bank’s risk management system and evaluate fraud control activities. Policies should clearly define, establish, and communicate the board’s and senior management’s commitment to fraud risk management. Processes should be designed to anticipate fraud and deploy a combination of preventive controls and detective controls. Detective controls are important because even with strong governance and oversight, collusion or circumvention of internal controls can allow fraud to occur. Some practices and controls may be both preventive and detective in nature.

Preventive controls are designed to deter fraud or minimize its likelihood. The following are some examples:

Monitoring and analysis of civil and criminal subpoenas received by the bank or information requests under section 314 of the USA PATRIOT Act8

Monitoring and analysis of Bank Secrecy Act report filings by the bank and its affiliates

Monitoring of news and other information concerning civil and criminal lawsuits

Ethics and whistleblower reporting channels or hotlines

Exit interviews for departing employees

Software and technology tools, developed internally or purchased from a third party, can assist with anti-fraud efforts. Bank management should consider the cost and value of fraud prevention tools selected, consistent with the bank’s overall strategy, complexity, and risk profile. Depending on the specific products and services offered, management might deploy solutions that serve to detect anomalies and prevent potential fraudulent transactions or activities. These solutions can monitor transactions and behaviors, employ layered or multifactor authentication, monitor networks for intrusions or malware, analyze transactions on internal bank platforms, and compare data with consortium or publicly available data. Banks’ fraud prevention and detection tools should evolve and adapt to remain effective against emerging fraud types.

Fraud Risk Measurement and Monitoring

Senior management should understand the bank’s exposure to fraud risk and associated losses across all business lines and functions and use this information to effectively monitor and manage fraud risk. The board should receive regular reporting on the bank’s fraud risk assessment, resulting exposure to fraud risk, and associated losses to enable directors to understand the bank’s fraud risk profile. Reporting should allow management and directors to measure performance. Practices can include benchmarking current fraud losses against loss history or industry data.

Examples of metrics and analysis banks can use to measure and monitor fraud risk include the following:

Management should identify fraud losses as internal or external. Larger, more complex banks generally maintain this information in an operational loss database or similar system.9

Fraud Response, Reporting, and Information Sharing

A bank’s policies, processes, and control systems should prompt appropriate and timely investigations into, responses to, and reporting of suspected and confirmed fraud. Banks should have processes for internal investigations, law enforcement referrals, regulatory notifications,10 and reporting. A bank is required to file a SAR for known or suspected fraud meeting regulatory thresholds.11 Reporting mechanisms should relay relevant, accurate, and timely fraud-related information from all lines of business to appropriate oversight channels.

Sound fraud risk management processes can include voluntary sharing of information with other financial institutions under section 314(b) of the USA PATRIOT Act. Pursuant to section 314(b), before exchanging information, the bank must register with the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN). Current section 314(b) participants may share information with one another regarding individuals, entities, organizations, and countries for purposes of identifying and, when appropriate, reporting activities that may involve possible specified unlawful activities. FinCEN has issued guidance clarifying that, if section 314(b) participants suspect that transactions may involve the proceeds of specified unlawful activities, such as fraud, under the money laundering statutes,12 information related to such transactions can be shared under the protection of the section 314(b) safe harbor.13

Reviews and Audits

A bank should design and perform reviews and audits specific to the bank’s size, complexity, organizational structure, and risk profile. Reviews and audits should be designed to assess the effectiveness of the bank’s internal controls and fraud risk management. Effective internal and external audit programs are a critical defense against fraud and provide vital information to the board of directors about the effectiveness of internal control systems.

When auditing financial statements and asserting effectiveness of internal controls over financial reporting, auditors must consider a material misstatement due to fraud.15 If the auditor identifies that fraud may be present, the auditor must discuss these findings with the board or management in a timely fashion.16 The auditor must also determine whether they have a responsibility to report the suspected fraud to the OCC.17

Findings and results from audits and reviews should be communicated to the relevant parties in a timely manner. Management should take timely and effective corrective action in response to deficiencies identified.

7 Refer to the “Compliance Management Systems” booklet of the Comptroller’s Handbook for more information.

8 Refer to 31 CFR 1010.520, “Information Sharing Between Government Agencies and Financial Institutions,” and 1010.540, “Voluntary Information Sharing Among Financial Institutions.” Refer also to the “Information Sharing” section of the FFIEC BSA/AML Examination Manual.

9 Refer to the “Large Bank Supervision” booklet of the Comptroller’s Handbook and OCC Bulletin 2011-21, “Interagency Guidance on the Advanced Measurement Approaches for Operational Risk.”

10 Banks should notify regulators of significant incidents that could affect the bank’s condition, operations, reputation, or customer information. Banks also should notify regulators of significant incidents that could affect the financial system.